Compatible Systems Enterprise-8, A00-1869 Setting up SecurID Authentication, ACE/Server Settings

Models: Enterprise-8 A00-1869


Chapter 6 - Basic Configuration Guide


Setting up SecurID Authentication

If you are using Security Dynamics’ ACE/Server software for user authentication, you must set up the IntraPort Enterprise-8 to communicate with the ACE/Server.

The Security Dynamics ACE/Server software performs dynamic two-factor SecurID authentication. Dynamic two-factor authentication combines something the user knows – a memorized personal identification number (PIN) – with something the user possesses – a SecurID token which generates an unpredictable code every 60 seconds. This combination of PIN and SecurID tokencode represents a one-time PASSCODE and is transmitted to the ACE/Server software for verification. See Appendix C for information on how to obtain ACE/Server software and SecurID tokens.

To use ACE/Server software with the IntraPort Enterprise-8, you will need the following:

ACE/Server software running on a supported platform (see the ACE/Server Installation Guide or README document for a current list of ACE/Server-supported platforms and other server requirements)

The VPN Client software, which functions as an ACE/Agent, running on a supported platform

SecurID tokens, distributed to appropriate personnel who will use them to access the ACE/Server-protected ACE Agents, including the VPN Client

Setting the IntraPort Enterprise-8 for an ACE/Server

Just a few basic settings are required for the IntraPort Enterprise-8 to communicate with an ACE/Server.

SecurID on

Encryption method

ACE/Server IP address

Enable SecurID for a group of IntraPort users

CV: Use the SecurID Configuration Dialog Box (under Global/SecurID) to enable SecurID and set the encryption method and server address.

Use the SecurID tab in the VPN Group Configuration Dialog Box to enable SecurID for a group of users.

TB: Use the configure command and set the Enabled, EncryptMeth and PrimaryServer keywords in the SecurID section, then set the SecurIDRequired keyword in a VPN Group Name section.

ACE/Server Settings

To configure the ACE/Server for communication with the IntraPort Enterprise-8, consult the ACE/Server Installation Guide. You should consult the ACE/Server Administration Manual on the ACE/Server CD-ROM for instructions on adding and removing users in the ACE/Server database.

Note: The IntraPort Enterprise-8 should be configured as a communication server in the Client Type pull-down menu in the ACE/Server’s Add Client dialog box (under Client/Add Client).

Note: The first time the IntraPort Enterprise-8 contacts the ACE/Server, they exchange a secret based in part on the IntraPort’s IP address. After the first exchange, the Sent Node Secret checkbox in the ACE/Server’s Add Client dialog box (which can be accessed using the Add Client option under the Client menu) will be checked. The checkbox will be grayed out until this initial exchange has taken place. Any major changes to the IntraPort Enterprise-8’s configuration (such as changing its IP address) will mean that the IntraPort and the ACE/Server will no longer be able to communicate. To get around this, simply uncheck the Sent Node Secret checkbox on the ACE/Server and issue the reset securid secret command in the IntraPort. Remember to save the changes to both devices. The two devices will do a new secret exchange and will be able to communicate again.
